Ankura CTIX FLASH Update - October 11, 2024

Ransomware/Malware Activity

SilentCryptoMiner Infects Over 28,000 Systems

SilentCryptoMiner, malware that hijacks system resources to mine cryptocurrency, has been downloaded onto more than 28,000 systems in Russia, Turkey, and Ukraine. The campaign behind these infections promotes the malware as legitimate software on YouTube and in GitHub repositories, hiding it inside game cheats, trading bots, and pirated office software. The fake downloads arrive as a password-protected ZIP archive which, when opened, drops obfuscated scripts, DLL files, and an AutoIt interpreter that launches the main payload. As with most modern malware, the dropper checks for the presence of debugging tools before proceeding. The malware also hijacks legitimate Windows system services and browser update processes so that it is executed whenever those processes launch, and it uses the Ncat network utility for command-and-control (C2) communications. The infection carries two (2) main payloads. The first, “DeviceId.dll”, runs the SilentCryptoMiner miner on the victim machine's resources. The second, “7zxa.dll”, is a clipper: it monitors the Windows clipboard for strings matching the pattern of a cryptocurrency wallet address and silently replaces them with an address under the attacker's control, so a victim who copies a payee address and pastes it into a wallet application sends the funds to the attacker instead. Researchers have noted that this clipper functionality has diverted at least $6,000 worth of transactions to the attackers' wallets. CTIX analysts recommend that organizations and individuals do not download software from unvetted sources or websites. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns. 
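The clipper behaviour described above is simple enough to show end to end. The following Python is an added illustration written for this update; it is not code from the SilentCryptoMiner payload or from the researchers' report. The three address patterns, the attacker wallet placeholders, and the sample clipboard text are all constructed for the example (the real payload's pattern list and destination addresses are not published here). `clipper_swap` reproduces the swap logic, and `detect_swap` is the check a wallet front end or endpoint agent could run by comparing what the user copied with what the clipboard now holds:

```python
import re

# Wallet-address shapes a clipper keys on. These patterns are constructed for
# this example; the real payload's regex list is not published in the article.
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[a-z0-9]{39,59}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# Hypothetical attacker-controlled destination addresses, one per format
# (constructed placeholders, not addresses from the real campaign).
ATTACKER_WALLETS = {
    "btc_legacy": "1AttackerWa11etAddr" + "X" * 12,
    "btc_bech32": "bc1q" + "7" * 38,
    "eth": "0x" + "a1" * 20,
}

# Constructed sample of what a victim might copy before pasting into a wallet app.
VICTIM_BTC = "1VictimWa11etAddr" + "Y" * 14
VICTIM_ETH = "0x" + "b2" * 20
VICTIM_CLIPBOARD = f"pay 0.05 BTC to {VICTIM_BTC} and 1 ETH to {VICTIM_ETH}"


def classify(token):
    """Return the wallet format name if `token` is exactly one address, else None."""
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.fullmatch(token):
            return kind
    return None


def clipper_swap(clipboard_text, attacker_wallets=ATTACKER_WALLETS):
    """Simulate the clipper's rewrite: every address-looking token is replaced by
    the attacker's address of the same format. Surrounding text is left intact,
    which is why a victim who glances at the paste rarely notices."""
    rewritten = clipboard_text
    for kind, pattern in WALLET_PATTERNS.items():
        rewritten = pattern.sub(attacker_wallets[kind], rewritten)
    return rewritten


def detect_swap(copied, pasted):
    """Defensive check: compare the text the user copied with the text about to be
    pasted and report each address that changed. An empty list means no swap."""
    findings = []
    for kind, pattern in WALLET_PATTERNS.items():
        before = pattern.findall(copied)
        after = pattern.findall(pasted)
        for old, new in zip(before, after):
            if old != new:
                findings.append((kind, old, new))
    return findings


if __name__ == "__main__":
    tampered = clipper_swap(VICTIM_CLIPBOARD)
    print("copied :", VICTIM_CLIPBOARD)
    print("pasted :", tampered)
    for kind, old, new in detect_swap(VICTIM_CLIPBOARD, tampered):
        print(f"SWAPPED {kind}: {old} -> {new}")
```

The detection side only works if the application still has the text the user originally copied (for example, a wallet that records the address shown on screen and compares it against the paste). Without that reference, the practical user-side control is the one the clipper relies on people skipping: read the first and last characters of the pasted address back against the source before confirming the transaction.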

Threat Actor Activity

Disaster Relief Scams Increase in Wake of Hurricanes Helene and Milton

In the wake of Hurricanes Helene and Milton, federal agencies, including the Federal Trade Commission (FTC) and the Cybersecurity and Infrastructure Security Agency (CISA), have issued warnings about scams targeting disaster relief efforts. Scammers are capitalizing on these natural disasters by posing as legitimate charities, impersonating government officials, and offering fake disaster relief in exchange for money or personal information. The FTC has cautioned against paying for services through unconventional means such as wire transfers, gift cards, or cryptocurrency, and advises against signing over insurance checks to third parties. Cybersecurity experts report a rise in scams, including advance-fee fraud and too-good-to-be-true offers to purchase damaged properties. Unlicensed contractors and individuals exploiting vulnerable disaster victims have been noted as well. In response to these threats, CISA has advised vigilance against fraudulent emails and social media messages containing malicious links or attachments, and stresses the importance of verifying the legitimacy of a communication before engaging with it. Additionally, federal agencies are addressing the spread of disinformation and misinformation on social media platforms, which has intensified following Hurricane Helene; efforts include a dedicated team to counter false narratives and ensure accurate information reaches affected communities.

Vulnerabilities

Mozilla Patches Critical Firefox Vulnerability Under Active Exploitation by Hackers

Mozilla has disclosed and patched a critical use-after-free vulnerability in Firefox and Firefox Extended Support Release (ESR) that is being actively exploited in the wild. The flaw, tracked as CVE-2024-9680, was discovered by ESET researcher Damien Schaeffer and affects the Animation timeline component of Firefox's Web Animations API. It allows an attacker to execute arbitrary code in the browser's content process by manipulating freed memory; because the content process is sandboxed, a separate sandbox escape would still be needed to reach the rest of the system, but code execution in the browser is already enough to act on the victim's web sessions. The National Vulnerability Database (NVD) assigned it a CVSS score of 9.8/10, citing its low attack complexity and the fact that no user interaction or privileges are required for a successful exploit. Cybersecurity agencies in Canada, Italy, and the Netherlands have issued their own advisories because of the damage a successful attack could cause, even though the Dutch agency rates the likelihood of exploitation as medium. Mozilla has addressed the issue in Firefox 131.0.2 and in ESR versions 115.16.1 and 128.3.1, and users are strongly urged to update immediately. This is the first major zero-day patched by Mozilla since March, when it addressed similar critical issues demonstrated at the Pwn2Own Vancouver 2024 hacking competition. With the vulnerability likely to be weaponized through drive-by downloads or watering-hole attacks, ensuring that all users are on a fixed version is essential. CTIX analysts recommend that readers make it a practice to regularly check that their browsers are up-to-date with the latest patches to prevent exploitation.
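Checking an estate for this fix is easy to get wrong because the two ESR branches carry lower version numbers than the mainline fix: 128.3.1esr is patched although it is numerically below 131.0.2, while a 129.x or 130.x mainline build is not. The Python below is an added example for this update, not a Mozilla tool or anything from the advisory; it encodes the three fixed releases named above and applies the right minimum per branch. The inventory rows (hostnames and versions) are constructed sample data, and `parse_version` is written to accept both a bare version string and the `Mozilla Firefox 131.0.2` form that the browser prints on the command line:

```python
import re

# Fixed releases named in Mozilla's advisory for CVE-2024-9680: a per-branch
# minimum for the two ESR lines, and the mainline release for everything else.
ESR_FIXED = {115: (115, 16, 1), 128: (128, 3, 1)}
MAINLINE_FIXED = (131, 0, 2)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn '131.0.2', '128.3.1esr' or 'Mozilla Firefox 115.16.1' into a
    comparable (major, minor, patch) tuple. Raises ValueError if no dotted
    number is present so that unknown builds are never silently treated as safe."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_patched(version_text):
    """True if this Firefox build carries the CVE-2024-9680 fix.
    ESR builds are compared against their own branch's fixed release; any other
    major version must be at or above the mainline fix."""
    version = parse_version(version_text)
    required = ESR_FIXED.get(version[0], MAINLINE_FIXED)
    return version >= required


# Constructed inventory rows (hostname, reported Firefox version); not real hosts.
SAMPLE_INVENTORY = [
    ("ws-101", "131.0.2"),
    ("ws-102", "131.0.1"),
    ("ws-103", "130.0"),
    ("srv-esr-1", "128.3.1esr"),
    ("srv-esr-2", "128.3.0esr"),
    ("kiosk-7", "115.16.1esr"),
    ("kiosk-8", "115.15.0esr"),
]


def unpatched_hosts(inventory):
    """Return the hostnames whose Firefox build still needs the update."""
    return [host for host, version in inventory if not is_patched(version)]


if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update required")
```

Feed it whatever your asset inventory or endpoint agent reports for the Firefox binary; the branch-aware comparison is the part worth keeping, because a plain "version >= 131.0.2" rule would flag every fully patched ESR host as vulnerable and, worse, a plain "version >= 128.3.1" rule would pass the unpatched 129.x and 130.x mainline builds.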

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to contact the CTIX Team (ctix@ankura.com) if you need more context.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

Tags

report, cybersecurity & data privacy, data & technology, cyber response, data privacy & cyber risk
